Detecting stack cookie utilization in a binary software component using binary static analysis

ABSTRACT

Systems, methods, and software can be used to detect stack cookie utilization in a binary software component using binary static analysis. In some aspects, one computer-implemented method includes identifying a function defined in the binary software component, the function including one or more instructions; performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions; and in response to determining that the function utilizes stack cookie protection, updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority of U.S. Application Serial No. 62/612,972, filed on Jan. 2, 2018, which is incorporated by reference herein in its entirety.

TECHNICAL FIELD

The present disclosure relates to detecting stack cookie utilization in a binary software component using binary static analysis.

BACKGROUND

An execution stack (also referred to as simply a “stack”) is a section of memory used to store information about the current execution context of a software program. For example, the stack of a software program may include information about the currently executing function (known as the function's “stack frame”) such as local variables, a return address indicating the function that called the currently executing function (to which control is to be returned when the currently executing function finishes), and other information.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram showing a system that detects stack cookie utilization in a binary software component using binary static analysis, according to an implementation.

FIG. 2 illustrates an example execution stack, according to an implementation.

FIG. 3 illustrates an example disassembled function analyzed to determine whether it includes stack cookie protection, according to an implementation.

FIG. 4 is a flow diagram showing a method for detecting stack cookie utilization in a binary software component using binary static analysis, according to an implementation.

Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION

In some cases, software programs may execute in systems connected to, or accessible via, public networks such as the Internet. Malicious actors can use various exploitative techniques to influence the behavior of a network-connected software program by manipulating the program's stack. One such technique, known as a buffer overflow attack, involves an attacker sending data to a software program that does not check the size of data it receives before copying the data into a fixed-size memory location (e.g., a buffer). By sending a specially formatted data string of the correct length, the attacker can overwrite the stack memory adjacent to the buffer with arbitrary data. Using this technique, the attacker can take control of the computer upon which the software program executes, and cause it to execute arbitrary instructions.

Several techniques have been developed to mitigate such attacks. One technique, known as “stack cookies,” involves placing a special value or “cookie” on the stack at a boundary between a function's local data and information (such as the return address) used to maintain the organization of the stack. When the function returns, the stack location where the cookie was stored is checked to ensure that the value has not been overwritten (e.g., by a buffer overflow attack). If the value in the stack location matches the cookie value, the stack has not been overwritten, and the program continues executing. If the value in the stack location does not match the cookie value, the stack has been overwritten and the program exits. This technique effectively prevents an attacker from utilizing a buffer overflow attack to inject arbitrary instructions, as such an attack will overwrite the cookie value and cause the program to exit before executing the injected instructions. However, if the user of the software component does not have access to its source code, which is often the case if the software is provided by an external vendor, it can be challenging for the user to verify that the software component actually implements stack cookie protection. Compiler programs used to build other software programs generally add metadata to the software programs indicating which features, such as stack cookies, are compiled into the program. However, this metadata is not always reliable, as some compilers may not include stack cookie protection in every function in a program. The metadata can also be altered to indicate that stack cookie protection is included in the program when in fact it is not.

The present disclosure describes techniques for detecting stack cookie utilization in a binary software component using binary static analysis. In one implementation, a function defined in the binary software component is identified. The function includes one or more instructions. A binary static analysis of the function is performed to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions. Binary static analysis involves examining a binary software component (e.g., one that has been compiled) and determining characteristics of the program from its binary structure alone, without executing the binary software component or examining its source code. In response to determining that the function utilizes stack cookie protection, a security report for the binary software component is updated to indicate that the function utilizes stack cookie protection.

FIGS. 1-4 and associated descriptions provide additional details of these implementations. These approaches provide a mechanism to increase the overall software quality of a system by verifying the use of stack cookies in a binary software component rather than trusting possibly misleading indications in the component's metadata. In addition, the techniques described herein do not require access to the component's source code, allowing a user of the software to perform the verification independent of the software vendor.

FIG. 1 is a schematic diagram showing a system 100 that detects stack cookie utilization in a binary software component using binary static analysis, according to an implementation. The system 100 includes a binary analysis component 102 including a binary analysis module 104 and a stack cookie detector 106.

The binary analysis component 102 comprises a system for performing binary static analysis on software components to determine security characteristics of the components. The binary analysis component 102 can include one or more computing devices executing software programs to perform the binary static analysis of software components and to determine the corresponding security characteristics.

Binary static analysis involves examining the binary representation of a compiled binary software component to determine its attributes and to deduce its possible behaviors upon execution. Binary static analysis is performed without reference to the source code that was compiled to create the binary software component, and is generally performed without executing the binary software component. For example, a software program can perform binary static analysis on a binary software component by examining the structure of the binary data making up the binary software component. The binary static analysis program can identify attributes of the binary software component by examining an information header included in the binary software component by the compiler that created the component. The binary static analysis program can also identify attributes of the binary software component by examining the structure of the program itself, such as, for example, by identifying functions defined in the program, APIs used by the program, compiler defensive techniques implemented in the functions defined in the program, and other features of the binary software component.

The binary analysis module 104 comprises a module within the binary analysis component 102 for performing the binary static analysis described above. In some cases, the binary analysis module 104 may examine the structure of a binary software component to be analyzed, and may utilize other components (such as the stack cookie detector 106 discussed below) within the binary analysis component 102 to perform certain types of analysis on the binary software component. In some cases, the binary analysis module 104 may be a software component within the binary analysis component, such as a class, a library, a function, an object, or other type of software component.

Stack cookie detector 106 comprises a module within the binary analysis component 102 that analyzes a binary software component to determine which functions defined in the binary software component implement stack cookie protection. As described in greater detail below, the stack cookie detector 106 may examine the instructions inside each function defined in the binary software component to determine whether the function includes instructions to place a stack cookie value on the stack when the function is called, and instructions to check whether the stack cookie value has been altered when the function returns. In some cases, the stack cookie detector 106 may receive as input the location of a single identified function within the binary software component, and may return an indication of whether the identified function implements stack cookie protection. Stack cookie detector 106 may also receive as input a function map for the binary software component indicating the locations of functions defined within the component, and may iterate through each function to produce an indication of whether the function implements stack cookie protection.

As shown, the binary analysis component 102 receives a binary software component for analysis (120). The binary software component may be provided to the binary analysis component 102 by an external system, such as, for example, a software development system, software deployment system, or other systems. The binary analysis module 104 may analyze the received binary software component, and provide the binary software component to the stack cookie detector 106 for analysis (108). The stack cookie detector 106 may analyze functions defined in the binary software component to determine whether the functions implement stack cookie protection, and provide a stack cookie coverage report 110 to the binary analysis module 104 including these indications.

In some cases, stack cookie coverage report 110 may be included in a security manifest produced by the binary analysis component 102 for the binary software component. The binary analysis component 102 may provide the security manifest to an external system, as shown at 130. The external system may use the security manifest to make decisions regarding the binary software component. For example, the external system may choose not to deploy a binary software component where the security manifest indicates that the component includes functions that do not implement stack cookie protection.

FIG. 2 illustrates an example execution stack 200, according to an implementation. The execution stack 200 includes stack frames 270, 280, local data 210, 240, return addresses 220, 250, and function parameters 230, 260.

Execution stack 200 represents a simplified execution stack for an executing binary software component in which a function called “foo( )” has called a function called “bar( ).” Function foo( ) is associated with stack frame 280 within the execution stack 200. Stack frame 280 includes function parameters 260 that were passed to the function foo( ) when it was called (i.e., by another function, not shown). Stack frame 280 also includes a return address 250, which is a pointer to a stack frame associated with the function that called foo( ). Stack frame 280 also includes local data 240. Local data 240 includes any local variables defined in the function foo( ). For example, if the function foo( ) defined a string of length 10, the local data 240 would include a section of memory large enough to store 10 characters, and any value copied into this string during execution would be copied into this section of memory within local data 240.

Function bar( ) is associated with stack frame 270 within the execution stack 200. Stack frame 270 includes function parameters 230 that were passed to the function bar( ) when it was called by function foo( ). Stack frame 270 also includes a return address 220, which is a pointer to a stack frame associated with the function that called bar( ). In this case, return address 220 would point to the beginning of stack frame 280 associated with function foo( ), because function foo( ) called function bar( ). When function bar( ) returns, stack cleanup instructions (included in the function epilogue for function bar( )) would read the return address 220 from the stack, remove stack frame 270 from the stack, and cause execution to jump to the address noted by return address 220. Because function foo( ) called function bar( ), this would cause execution to jump to the instruction in function foo( ) immediately after the call to function bar( ), and execution would continue inside function foo( ). Local data 210 includes any local variables defined in the function bar( ). For example, if the function bar( ) defined a string of length 10, the local data 210 would include a section of memory large enough to store 10 characters, and any value copied into this string during execution would be copied into this section of memory within local data 210.

FIG. 3 illustrates a system 300 in which a disassembled function 310 is analyzed to determine whether it includes stack cookie protection, according to an implementation. Disassembled function 310 includes a function prologue 320, a function body 330, and a function epilogue 340.

Disassembled function 310 may be a function within a binary software component that has been identified using binary static analysis, as described above. As shown, function 310 includes a number of assembly language instructions. During execution of the binary software component, when function 310 is called, the assembly language instructions included in function 310 are executed. The instructions within function 310 may include instructions from one or more instruction sets, such as, for example, the ARM instruction set, the THUMB instruction set, an Intel instruction set, a Zilog instruction set, or other types of instruction sets.

Function prologue 320 includes instructions that will be executed when function 310 is called during execution. In some cases, function prologue 320 includes stack cookie instructions configured to insert a stack cookie value to mark the boundary of function 310's local data within the stack. Function prologue 320 may call an external function to retrieve the stack cookie value for insertion into the stack, such as the “_security_cookie ( )” function called in the first instruction in function prologue 320.

Function epilogue 340 includes instructions that will be executed when function 310 returns after being called during execution. In some cases, function epilogue 340 includes stack cookie instructions configured to check whether the stack cookie value written to the stack by the stack cookie instructions in the function prologue 320 is still present in the stack at the boundary of function 310's local data. Function epilogue 340 may call an external function to check whether the value at this stack location matches the stack cookie value written by the function prologue 320, such as the “_security_check_cookie ( )” function called in function epilogue 340.

Stack cookie detector 106 may examine the function prologue 320 to determine whether it contains instructions to retrieve the stack cookie value and insert it into the stack, such as the call to _security_cookie( ) in the function prologue 320. If the stack cookie detector 106 determines that such a stack cookie instruction is present in function 310, the stack cookie detector 106 may then examine the function epilogue 340 to determine whether it contains instructions to retrieve the value from the expected stack cookie location within the stack, and compare the retrieved value to the stack cookie value written by the instructions in the function prologue 320. In some cases, if stack cookie detector 106 determines that the function prologue 320 includes instructions to write a stack cookie to the stack, and function epilogue 340 includes instructions to retrieve and check the value of the stack cookie from the stack, stack cookie detector 106 may determine that function 310 implements stack cookie protection. Stack cookie detector 106 may then update a stack cookie coverage report 350 to indicate that function 310 implements stack cookie protection. In some cases, the stack cookie coverage report 350 may be part of a security manifest for the binary software component including function 310.

FIG. 4 is a flow diagram showing a method 400 for detecting stack cookie utilization in a binary software component using binary static analysis, according to an implementation. At 405, a function including one or more instructions and defined in the binary software component is identified by a binary analysis component (e.g., 102).

At 410, a binary static analysis of the function is performed by a stack cookie detector (e.g., 106) to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions. In some cases, the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function. The particular data sequence may be generated at compile time, or the one or more stack cookie handling instructions may include an instruction to generate the particular data sequence when the function is called. In some cases, the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called. The one or more stack cookie handling instructions may be configured, when executed by the processor, to cause execution of the binary software component to halt in response to determining that the particular data sequence does not remain in the execution stack when the function returns.

At 415, in response to determining that the function utilizes stack cookie protection, a security report for the binary software component is updated by the stack cookie detector (e.g., 106) to indicate that the function utilizes stack cookie protection. In some cases, in response to determining that the function does not utilize stack cookie protection, a security report for the binary software component is updated to indicate that the function does not utilize stack cookie protection.
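As an added example (not the patent's own code), the following Python script carries out the FIG. 3 prologue/epilogue check and steps 405 to 415 of method 400 over a labelled disassembly listing: it builds a function map, looks in each prologue for a load of the cookie symbol that is stored to a stack slot, requires that the window before every return reload that same slot and call the check routine, and emits a coverage report that also flags functions which write a cookie but never check it. The listing format, the `window` size, the `copy_input` callee and the three sample functions are assumptions; the symbol names are the MSVC runtime ones the disclosure cites, spelled with their double leading underscore.

```python
import re
from dataclasses import dataclass

# Symbol names the disclosure cites (MSVC naming); swap in another toolchain's names as needed.
COOKIE_SYMBOL = "__security_cookie"
CHECK_SYMBOL = "__security_check_cookie"
LABEL_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*):\s*$")
INSN_RE = re.compile(r"^\s*(?P<addr>[0-9a-fA-F]+):\s*(?P<mn>\S+)\s*(?P<ops>[^;]*)")
MEM_RE = re.compile(r"\[(?P<mem>[^\]]+)\]")


@dataclass
class Instruction:
    addr: int
    mnemonic: str
    operands: str


def parse_listing(text: str) -> dict[str, list[Instruction]]:
    """Build a function map (name -> instructions) from a labelled disassembly listing."""
    funcs: dict[str, list[Instruction]] = {}
    current = None
    for line in text.splitlines():
        label = LABEL_RE.match(line)
        if label:
            current = funcs.setdefault(label["name"], [])
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            current.append(Instruction(int(m["addr"], 16), m["mn"].lower(), m["ops"].strip()))
    return funcs


def _cookie_slot_written(prologue: list[Instruction]):
    """Return the stack slot the prologue stores the cookie into, or None."""
    # FIG. 3 prologue shape: load COOKIE_SYMBOL into a register (optionally
    # xor'd with the stack pointer), then store that register to a stack slot.
    reg = None
    for ins in prologue:
        if ins.mnemonic == "mov" and COOKIE_SYMBOL in ins.operands:
            reg = ins.operands.split(",")[0].strip()
        elif reg and ins.mnemonic == "mov":
            dst, _, src = ins.operands.partition(",")
            mem = MEM_RE.search(dst)
            if mem and src.strip() == reg:
                return mem["mem"].replace(" ", "")
    return None


def _epilogue_checks_slot(epilogue: list[Instruction], slot: str) -> bool:
    """True if the epilogue reloads `slot` from the stack and then calls CHECK_SYMBOL."""
    reloaded = False
    for ins in epilogue:
        if ins.mnemonic == "mov":
            mem = MEM_RE.search(ins.operands.partition(",")[2])
            if mem and mem["mem"].replace(" ", "") == slot:
                reloaded = True
        elif ins.mnemonic == "call" and CHECK_SYMBOL in ins.operands:
            return reloaded
    return False


def classify(insns: list[Instruction], window: int = 8) -> str:
    """'protected', 'partial' (cookie written but never checked) or 'unprotected'."""
    slot = _cookie_slot_written(insns[:window])
    if slot is None:
        return "unprotected"
    # Every return path must verify the cookie, so inspect the window before each ret.
    rets = [i for i, ins in enumerate(insns) if ins.mnemonic in ("ret", "retn")]
    checked = [_epilogue_checks_slot(insns[max(0, i - window):i], slot) for i in rets]
    return "protected" if rets and all(checked) else "partial"


def coverage_report(listing: str) -> dict[str, str]:
    """Stack cookie coverage report: function name -> classification."""
    return {name: classify(insns) for name, insns in parse_listing(listing).items()}


# Constructed x64 listing in MSVC style; not taken from any real binary.
SAMPLE_LISTING = """
protected_fn:
  140001000: sub rsp, 0x58
  140001004: mov rax, qword ptr [__security_cookie]
  14000100b: xor rax, rsp
  14000100e: mov qword ptr [rsp+0x50], rax   ; cookie marks the local-data boundary
  140001013: call copy_input                 ; function body
  140001018: mov rcx, qword ptr [rsp+0x50]   ; reload from the expected slot
  14000101d: xor rcx, rsp
  140001020: call __security_check_cookie
  140001025: add rsp, 0x58
  140001029: ret
unprotected_fn:
  140002000: sub rsp, 0x38
  140002004: call copy_input
  140002009: add rsp, 0x38
  14000200d: ret
partial_fn:
  140003000: sub rsp, 0x58
  140003004: mov rax, qword ptr [__security_cookie]
  14000300b: xor rax, rsp
  14000300e: mov qword ptr [rsp+0x50], rax   ; cookie written but never checked
  140003013: ret
"""
```

A function reported as "partial" is the case the disclosure warns about: compiler metadata may claim cookie support while the epilogue check is absent, and only the per-function analysis reveals it.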

Some of the subject matter and operations described in this disclosure can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures described in this disclosure and their structural equivalents, or in combinations of one or more of them. Some of the subject matter described in this disclosure can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a computer storage medium for execution by, or to control the operation of, data-processing apparatus. Alternatively or in addition, the program instructions can be encoded on an artificially generated propagated signal, for example, a machine-generated electrical, optical, or electromagnetic signal that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. The computer-storage medium can be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or any combinations of computer-storage mediums.

The terms “data-processing apparatus,” “computer,” or “electronic computer device” encompass all kinds of apparatus, devices, and machines for processing data, including, by way of example, a programmable processor, a computer, a system on a chip, or multiple ones, or combinations of the foregoing. The apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). In some implementations, the data processing apparatus or special purpose logic circuitry (or a combination of the data processing apparatus or special purpose logic circuitry) may be hardware- or software-based (or a combination of both hardware- and software-based). The apparatus can optionally include code that creates an execution environment for computer programs, for example, code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of execution environments. The present disclosure contemplates the use of data processing apparatuses with or without conventional operating systems, for example LINUX, UNIX, WINDOWS, MAC OS, ANDROID, IOS, or any other suitable, conventional operating system.

A computer program, which may also be referred to, or described, as a program, software, a software application, a module, a software module, a script, or code, can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data, for example, one or more scripts stored in a markup language document, in a single file dedicated to the program in question, or in multiple coordinated files, for example, files that store one or more modules, sub-programs, or portions of code. A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site, or distributed across multiple sites and interconnected by a communication network. While portions of the programs illustrated in the various figures are shown as individual modules that implement the various features and functionality through various objects, methods, or other processes, the programs may instead include a number of sub-modules, third-party services, components, libraries, and such, as appropriate. Conversely, the features and functionality of various components can be combined into single components, as appropriate.

Some of the processes and logic flows described in this disclosure can be performed by one or more programmable processors, executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random-access memory, or both. A processor can include by way of example a programmable processor, a computer, a system on a chip, or multiple ones, or combinations of the foregoing. A processor can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).

Computers suitable for the execution of a computer program can be based on general or special purpose microprocessors, both, or any other kind of CPU. Generally, a CPU will receive instructions and data from a read-only memory (ROM) or a random access memory (RAM), or both. The essential elements of a computer are a CPU, for performing or executing instructions, and one or more memory devices, for storing instructions and data. Generally, a computer will also include, or be operatively coupled to, receive data from or transfer data to, or both, one or more mass storage devices for storing data, for example, magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Moreover, a computer can be embedded in another device, for example, a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a global positioning system (GPS) receiver, or a portable storage device, for example, a universal serial bus (USB) flash drive, to name just a few.

Computer-readable media (transitory or non-transitory, as appropriate) suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including, by way of example, semiconductor memory devices, for example, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices; magnetic disks, for example, internal hard disks or removable disks; magneto-optical disks; and CD-ROM, DVD+/−R, DVD-RAM, and DVD-ROM disks. The memory may store various objects or data, including caches, classes, frameworks, applications, backup data, jobs, web pages, web page templates, database tables, repositories storing dynamic information, and any other appropriate information including any parameters, variables, algorithms, instructions, rules, constraints, or references thereto. Additionally, the memory may include any other appropriate data, such as logs, policies, security or access data, reporting files, as well as others. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry. In some cases, the computer storage medium can be transitory, non-transitory, or a combination thereof.

To provide for interaction with a user, implementations of the subject matter described in this disclosure can be implemented on a computer having a display device, for example, a CRT (cathode ray tube), LCD (liquid crystal display), LED (Light Emitting Diode), or plasma monitor, for displaying information to the user and a keyboard and a pointing device, for example, a mouse, trackball, or trackpad by which the user can provide input to the computer. Input may also be provided to the computer using a touchscreen, such as a tablet computer surface with pressure sensitivity, a multi-touch screen using capacitive or electric sensing, or other type of touchscreen. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, for example, visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to, and receiving documents from, a device that is used by the user, for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.

The term “graphical user interface,” or “GUI,” may be used in the singular or the plural to describe one or more graphical user interfaces and each of the displays of a particular graphical user interface. Therefore, a GUI may represent any graphical user interface, including but not limited to, a web browser, a touch screen, or a command line interface (CLI) that processes information and efficiently presents the information results to the user. In general, a GUI may include a plurality of user interface (UI) elements, some or all associated with a web browser, such as interactive fields, pull-down lists, and buttons operable by the business suite user. These and other UI elements may be related to or represent the functions of the web browser.

Implementations of the subject matter described in this disclosure can be implemented in a computing system that includes a back-end component, for example, as a data server, or that includes a middleware component, for example, an application server, or that includes a front-end component, for example, a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this disclosure, or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of wireline or wireless digital data communication (or a combination of data communication), for example, a communication network. Examples of communication networks include a local area network (LAN), a radio access network (RAN), a metropolitan area network (MAN), a wide area network (WAN), Worldwide Interoperability for Microwave Access (WIMAX), a wireless local area network (WLAN) using, for example, 802.11 a/b/g/n or 802.20 (or a combination of 802.11x and 802.20 or other protocols consistent with this disclosure), all or a portion of the Internet, or any other communication system, or systems at one or more locations (or a combination of communication networks). The network may communicate with, for example, Internet Protocol (IP) packets, Frame Relay frames, Asynchronous Transfer Mode (ATM) cells, voice, video, data, or other suitable information (or a combination of communication types) between network addresses.

The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

In some implementations, any or all of the components of the computing system, either hardware or software (or a combination of hardware and software), may interface with each other, or with the interface, using an application programming interface (API), or a service layer (or a combination of API and service layer). The API may include specifications for routines, data structures, and object classes. The API may be either computer-language independent or dependent, and refer to a complete interface, a single function, or even a set of APIs. The service layer provides software services to the computing system. The functionality of the various components of the computing system may be accessible for all service users using this service layer. Software services provide reusable, defined business functionalities through a defined interface. For example, the interface may be software written in JAVA, C++, or other suitable language providing data in extensible markup language (XML) format or other suitable format. The API or service layer (or a combination of the API and the service layer) may be an integral or a stand-alone component in relation to other components of the computing system. Moreover, any or all parts of the service layer may be implemented as child or sub-modules of another software module, enterprise application, or hardware module without departing from the scope of this disclosure.

While this disclosure contains many specific implementation details, these should not be construed as limitations on the scope of any invention or on the scope of what may be claimed, but rather as descriptions of features that may be specific to particular implementations of particular inventions. Certain features that are described in this disclosure in the context of separate implementations can also be implemented, in combination, in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations, separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or variation of a sub-combination.

Particular implementations of the subject matter have been described. Other implementations, alterations, and permutations of the described implementations are within the scope of the following claims as will be apparent to those skilled in the art. While operations are depicted in the drawings or claims in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed (some operations may be considered optional), to achieve desirable results. In certain circumstances, multitasking or parallel processing (or a combination of multitasking and parallel processing) may be advantageous and performed as deemed appropriate.

Moreover, the separation or integration of various system modules and components in the implementations described above should not be understood as requiring such separation or integration in all implementations, and it should be understood that the described program components and systems can, generally, be integrated together in a single software product or packaged into multiple software products.

Accordingly, the above description of example implementations does not define or constrain this disclosure. Other changes, substitutions, and alterations are also possible without departing from the spirit and scope of this disclosure.

Furthermore, any claimed implementation below is considered to be applicable to at least a computer-implemented method; a non-transitory, computer-readable medium storing computer-readable instructions to perform the computer-implemented method; and a computer system comprising a computer memory interoperably coupled with a hardware processor configured to perform the computer-implemented method or the instructions stored on the computer-readable medium.

1. A method, comprising: identifying a function defined in a binary software component, the function including one or more instructions; performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions; and in response to determining that the function utilizes stack cookie protection, updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.
2. The method of claim 1, further comprising: in response to determining that the function does not utilize stack cookie protection, updating a security report for the binary software component to indicate that the function does not utilize stack cookie protection.
3. The method of claim 1, wherein the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function.
4. The method of claim 3, wherein the particular data sequence is generated at compile time.
5. The method of claim 3, wherein the one or more stack cookie handling instructions include an instruction to generate the particular data sequence when the function is called.
6. The method of claim 3, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called.
7. The method of claim 6, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to cause execution of the binary software component to halt in response to determining that the particular data sequence does not remain in the execution stack when the function returns.
8. A computing device, comprising: at least one hardware processor; a non-transitory computer-readable storage medium coupled to the at least one hardware processor and storing programming instructions for execution by the at least one hardware processor, wherein the programming instructions, when executed, cause the at least one hardware processor to perform operations comprising: determining that a binary software component was compiled with stack cookie functionality enabled based on metadata included with the binary software component; identifying a function defined in the binary software component, the function including one or more instructions; performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions; and in response to determining that the function utilizes stack cookie protection, updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.
9. The computing device of claim 8, the operations further comprising: in response to determining that the function does not utilize stack cookie protection, updating a security report for the binary software component to indicate that the function does not utilize stack cookie protection.
10. The computing device of claim 8, wherein the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function.
11. The computing device of claim 10, wherein the particular data sequence is generated at compile time.
12. The computing device of claim 10, wherein the one or more stack cookie handling instructions include an instruction to generate the particular data sequence when the function is called.
13. The computing device of claim 10, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called.
14. The computing device of claim 13, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to cause execution of the binary software component to halt in response to determining that the particular data sequence does not remain in the execution stack when the function returns.
15. One or more computer-readable media containing instructions which, when executed, cause a computing device to perform operations comprising: determining that a binary software component was compiled with stack cookie functionality enabled based on metadata included with the binary software component; identifying a function defined in the binary software component, the function including one or more instructions; performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions; and in response to determining that the function utilizes stack cookie protection, updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.
16. The one or more computer-readable media of claim 15, the operations further comprising: in response to determining that the function does not utilize stack cookie protection, updating a security report for the binary software component to indicate that the function does not utilize stack cookie protection.
17. The one or more computer-readable media of claim 15, wherein the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function.
18. The one or more computer-readable media of claim 17, wherein the particular data sequence is generated at compile time.
19. The one or more computer-readable media of claim 17, wherein the one or more stack cookie handling instructions include an instruction to generate the particular data sequence when the function is called.
20. The one or more computer-readable media of claim 17, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called.
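As an added illustration of the per-function analysis the claims describe (not code from the patent or its assignee), the following Python scans constructed x86-64 disassembly for the three kinds of stack cookie handling instructions named in claims 3, 6 and 7 and builds the per-function security report. It assumes the GCC/glibc Linux convention (cookie read from fs:0x28, mismatch handled by __stack_chk_fail); the function and sample names are invented.

```python
import re
# Constructed x86-64 Intel-syntax disassembly (not from a real binary):
# copy_input was built with a stack cookie, add_ints was not.
SAMPLE_DISASSEMBLY = """\
<copy_input>:
  mov rax, QWORD PTR fs:0x28
  mov QWORD PTR [rsp+0x48], rax
  call strcpy
  mov rdx, QWORD PTR [rsp+0x48]
  sub rdx, QWORD PTR fs:0x28
  je .L3
  call __stack_chk_fail
.L3:
  ret
<add_ints>:
  lea eax, [rdi+rsi]
  ret
"""

# GCC/glibc on x86-64 Linux keep the cookie at fs:0x28 and abort via __stack_chk_fail.
COOKIE_SLOT = re.compile(r"\bfs:0x28\b")
FAIL_CALL = re.compile(r"^call\s+__stack_chk_fail\b")

def split_functions(disasm):
    # Group instruction lines under the <name>: label that precedes them.
    funcs, current = {}, None
    for line in (raw.strip() for raw in disasm.splitlines()):
        m = re.fullmatch(r"<(\w+)>:", line)
        if m:
            current = m.group(1); funcs[current] = []
        elif current and line and not line.startswith("."):  # skip local labels
            funcs[current].append(line)
    return funcs

def analyze_function(instructions):
    # Classify the stack cookie handling instructions the claims describe.
    found = {"inserts_cookie": False, "checks_cookie": False, "halts_on_mismatch": False}
    for ins in instructions:
        mnemonic = ins.split()[0]
        if COOKIE_SLOT.search(ins) and mnemonic == "mov":
            found["inserts_cookie"] = True     # claim 3: cookie stored on entry
        elif COOKIE_SLOT.search(ins) and mnemonic in ("sub", "xor", "cmp"):
            found["checks_cookie"] = True      # claim 6: re-read and compared
        elif FAIL_CALL.match(ins):
            found["halts_on_mismatch"] = True  # claim 7: abort on mismatch
    found["uses_stack_cookie"] = all(found.values())
    return found

def security_report(disasm):
    return {name: analyze_function(ins) for name, ins in split_functions(disasm).items()}
```

A real implementation would work from a disassembler's instruction objects rather than text, and would carry per-toolchain patterns (MSVC's __security_check_cookie, for instance) instead of the single GCC pattern used here.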